Query/Question
We're using com.azure.core.util.Context to pass a per-request TokenCredential (an AzureTokenCredentials representing a customer's auxiliary tenant identity) into a custom HttpPipelinePolicy that stamps the
x-ms-authorization-auxiliary header on outgoing ARM requests. The pattern lets a single shared HttpPipeline serve many customers without binding any one customer's credential to the pipeline at construction time. We need a single shared HttpPipeline to scale our systems better.
Concretely:
// Caller side — per-request, per-customer:
Context ctx = new Context("x-aux-secondary-token", customerSecondaryCredential);
vmUpdate.apply(ctx); // Appliable<T>.apply(Context)
// Policy side — stateless:
public class AuxiliaryAuthPolicy implements HttpPipelinePolicy {
@Override
public Mono<HttpResponse> process(HttpPipelineCallContext context, HttpPipelineNextPolicy next) {
Optional<Object> tokenOpt = context.getData("x-aux-secondary-token");
if (tokenOpt.isPresent()) {
AzureTokenCredentials cred = (AzureTokenCredentials) tokenOpt.get();
String bearer = cred.getToken(cred.environment().resourceManagerEndpoint());
context.getHttpRequest().setHeader("x-ms-authorization-auxiliary", "Bearer " + bearer);
}
return next.process();
}
} Questions, in order of priority:
-
Does any data placed in com.azure.core.util.Context (or surfaced to a policy via HttpPipelineCallContext.getData(...)) cross the wire to Azure? Our reading of the SDK source and the JavaDoc is that Context is purely an in-memory JVM carrier — the only thing transmitted is what a policy explicitly writes onto HttpRequest. Can you confirm? A pointer to the authoritative doc/source line would help.
-
Is putting a TokenCredential reference (not a resolved bearer string) in Context considered safe by the SDK team? We've reviewed Context lifecycle (per-request, immutable, GC'd after the reactive chain terminates) and AzureTokenCredentials.toString() (defaults to Object.toString, no secret leakage). Are there any SDK-level paths — diagnostic logging, retry policies, telemetry, error reporting — that might serialize, log, or persist Context contents in a way that would expose the credential reference?
-
Is there a more idiomatic pattern for the underlying problem? Specifically: a single shared HttpPipeline (and AzureResourceManager) that needs to attach a different secondary auxiliary token per customer, without rebuilding the pipeline.
Why is this not a Bug or a feature Request?
This is a design/security review request, not a defect report or feature ask. We want guidance on whether
this is a safe and intended use of those APIs before shipping it, and whether the SDK team would steer us toward a different idiom.
Setup (please complete the following information if applicable):
- OS: Linux (production), macOS (dev)
- IDE: IntelliJ
- Library/Libraries:
com.azure:azure-core, com.azure.resourcemanager:azure-resourcemanager-compute, com.microsoft.azure:azure-client-authentication
Information Checklist
Query/Question
We're using
com.azure.core.util.Contextto pass a per-requestTokenCredential(anAzureTokenCredentialsrepresenting a customer's auxiliary tenant identity) into a customHttpPipelinePolicythat stamps thex-ms-authorization-auxiliaryheader on outgoing ARM requests. The pattern lets a single sharedHttpPipelineserve many customers without binding any one customer's credential to the pipeline at construction time. We need a single sharedHttpPipelineto scale our systems better.Concretely:
Questions, in order of priority:
Does any data placed in
com.azure.core.util.Context(or surfaced to a policy viaHttpPipelineCallContext.getData(...)) cross the wire to Azure? Our reading of the SDK source and the JavaDoc is thatContextis purely an in-memory JVM carrier — the only thing transmitted is what a policy explicitly writes ontoHttpRequest. Can you confirm? A pointer to the authoritative doc/source line would help.Is putting a
TokenCredentialreference (not a resolved bearer string) inContextconsidered safe by the SDK team? We've reviewedContextlifecycle (per-request, immutable, GC'd after the reactive chain terminates) andAzureTokenCredentials.toString()(defaults toObject.toString, no secret leakage). Are there any SDK-level paths — diagnostic logging, retry policies, telemetry, error reporting — that might serialize, log, or persistContextcontents in a way that would expose the credential reference?Is there a more idiomatic pattern for the underlying problem? Specifically: a single shared
HttpPipeline(andAzureResourceManager) that needs to attach a different secondary auxiliary token per customer, without rebuilding the pipeline.Why is this not a Bug or a feature Request?
This is a design/security review request, not a defect report or feature ask. We want guidance on whether
this is a safe and intended use of those APIs before shipping it, and whether the SDK team would steer us toward a different idiom.
Setup (please complete the following information if applicable):
com.azure:azure-core,com.azure.resourcemanager:azure-resourcemanager-compute,com.microsoft.azure:azure-client-authenticationInformation Checklist